The DOJ's Insane Argument Against Weev: He's A Felon Because He Broke The Rules We Made Up

from the bad-news-all-around dept

We've covered the lawsuit against Andrew "weev" Auernheimer, in which the feds pushed criminal charges against him under the Computer Fraud and Abuse Act (CFAA) for discovering a massive (and ridiculous) security hole in the way AT&T set up the iPad. Basically, they saw that AT&T handed out iPad IDs in numerical order, and then left the website open, allowing him (and a partner) to just increment by number and get back email addresses on everyone who owned an iPad. The feds seemed to argue that this was some nefarious evil hack, and Auernheimer was sentenced to 41 months in prison and has to pay $73,000 to AT&T (roughly the cost it took AT&T to inform its customers of its own bone-headed lack of security). So much about this case is ridiculous, and it's complicated by the fact that nearly everyone agrees that weev is a world-class jerk. But, you need to separate that out from the details of what he did here, to note that it was nothing particularly special, and it involved the sort of thing that security researcers do all the time, and which all sorts of non-security researchers do quite often.

We'll dig into some of the details in a bit, but as Graham points out, the feds somewhat obnoxiously nearly doubled the word limit imposed by the Third Circuit (the brief is 26,495, but the court only allows 14,000 as an upper limit). This is ridiculously unfair, because it lets the DOJ go on, at length, making claims that are almost wholly untrue, and at times ridiculous, while weev's lawyers were hamstrung in limiting what they could put in their own brief. Welcome to the criminal justice system where the DOJ still seems to think it gets to play by its own rules.

And, really, that's the most ridiculous part of all of this, because while the DOJ wants to play by its own rules, nearly its entire argument against Auernheimer is that he "didn't play by the rules" where "the rules" it's talking about aren't actual rules at all, but rather what the DOJ makes up in the minds of some clearly technologically-illiterate lawyers.

The short version is that the government's case is quite scary in the way it portrays weev's actions -- such that it could easily criminalize all sorts of things. For example, it goes on about changing the user-agent, as if this is some awful thing and a form of "lying."

Spitler changed
the user agent in his Account Slurper program in order to trick the servers into
thinking that he was using an iPad.... He “lied to the AT&T servers” in order
to get the information.... Spitler gathered this information without asking for
permission from AT&T or from any of the iPad users that he was impersonating.... AT&T did not design its system to allow these email addresses to be
made public.

There are so many problems with this. First, there are no hard and fast rules about user-agents that suggest this sort of thing is breaking the law. As both Graham and Lee point out, if "faking" the user-agent is a form of "lying," nearly every browser does that and has for years. That's because years ago, Microsoft added "Mozilla" to its user-agent since many websites optimized for different browsers, and Microsoft wanted servers to believe it was competitor Netscape, which many sites had designed to be nicer. So pretty much all browsers "lie." Hell, for many years I've personally used "user agent switcher," a plugin for browsers, to change my browser user agent at times, mostly for simple testing on certain websites, and sometimes for reporting purposes (to see how different sites provide different info to different browsers). I never thought I was "lying" or coming close to committing a crime. It's just a bit of info a browser, or other piece of software, sends to a server to get information returned.

Similarly, the idea that AT&T "did not design its system to allow these email addresses to be made public" is simply, empirically, false. If they hadn't designed it that way, then weev and his partner wouldn't have been able to access it the way they did. The problem was clearly AT&T totally failed to lock down this system. Furthermore, they didn't need to "ask permission" because they sent a request to the server and the server answered. If they didn't have permission, the server would have rejected the request. It didn't. The problem was very clearly AT&T's. To charge weev with criminal charges for this is really insane.

Changing the user agent isn't breaking any "rules" -- except in the mind of the DOJ.

The DOJ really stretches to try to paint the actions by Auernheimer's partner as some masterful "hack" when the details suggest otherwise. The brief goes on at length about all the "steps" that Daniel Spitler had to go through to get access to the information, but most of the "steps" are ridiculously padded, because they have nothing to do with the "hack" itself, but were merely about Spitler trying to setup his computer to act like an iPad. That might sound odd and involved to the clueless lawyers at the DOJ, but this sort of thing is done all the freaking time by security researchers. That's how they can more easily test stuff out, by getting their computers to act like other machines. In theory, I guess, Spitler could have done the whole thing via an iPad, but what's the point? The whole idea was, in part, looking for security vulnerabilities. The fact that it took Spitler a bit of time and effort to get his computer to emulate an iPad has nothing to do with the scanning itself, but the DOJ uses it as if it shows how "difficult" AT&T made it to find these emails. That's wrong. AT&T made it quite easy to find the emails. The fact that Spitler had some trouble getting a computer to emulate an iPad is a totally separate issue.

From there, the DOJ starts playing dirty, pretending that because judicial law clerks can't find the same kind of security hole, it somehow means that Spitler and Auernheimer were up to no good:

If an ordinary, but reasonably sophisticated
computer user, like a typical judicial law clerk, had been assigned the task of
compiling a list of e-mail addresses of iPad users available on AT&T’s servers, he
almost certainly would not have been able to duplicate what Spitler did. The law
clerk would likely go to AT&T’s website and search in vain for any links or other
means to access this information. No hyperlinks or search engine requests would
have produced the desired results.

This is really obnoxious. The US Attorneys working on this case know that a judicial law clerk is going to make the key call on this case, and this is a way to flatter those law clerks, claiming that they're "sophisticated computer users." But a "sophisticated computer user" is quite different from a security researcher or a higher level technically proficient user. The fact that they couldn't find this info via a search engine is meaningless. No one is arguing that the info was available via search -- but rather that it was incredibly wide open because of a security hole, and yes, you'd need some level of technical proficiency to figure it out, but as far as I know there's no law making it illegal to be more technically proficient than a law clerk.

Later, the DOJ argues that using the ICC-ID number, which AT&T assigned incrementally is the equivalent of using a password. They're apparently not joking:

The argument that the ICC-ID “is not a password,” begs the question of
what counts as a “password.” Wikipedia defines a “password” as “a secret word or
string of characters used for user authentication to prove identity or access
approval to gain access to a resource (example: an access code is a type of
password), which should be kept secret from those not allowed access.”... MK makes the facile argument that an
ICC-ID is not a password because it is frequently printed on the outside of phone
packaging, and thus is not secret. But that cannot be correct. Combinations to
locks are often printed on the packaging, but the combination nevertheless is the
secret “password” that opens the lock. Openness to the public prior to purchase is
irrelevant, because after purchase the combination becomes the owner’s secret. So
too with an ICC-ID. Once a phone or other device using an ICC-ID is purchased,
no one can easily learn the ICC-ID unless he or she actually possesses it.

Try not to guffaw. Yes, even though the ICC-ID is just an incremental number, permanently stuck to a device, and is permanently printed on the device, the DOJ is insisting that it's still just like a password. The fact that combinations are printed on packaging is meaningless, because it's not meant to be left on the lock. Furthermore, this totally ignores the fact that the ICC-IDs were incremental. If AT&T had intended them to be secret, rule number one would have been to use a system that you couldn't guess others accounts merely by adding one. And it gets worse:

An ICC-ID, unlike a password, is a unique identifier. In that regard, when it
is used to gain access to a server, it can be even more secure than a password
chosen by a user, which frequently can be guessed. Certainly a 19 or 20 digit
ICC-ID is harder to guess using brute force than a typical four-digit ATM access
code, misuse of which would certainly constitute a CFAA violation.

Except, uh, that's not how an ATM card password works (and, yes, ATM cards are not particularly secure). You don't put your ATM card into a machine and it automatically reads the code off the card and lets you into your account. That is, the PIN code is designed to be separate from the card, with the idea being that to get into your account you need both something physical and something in your head. The ICC-ID isn't like that. It was designed to let the user automatically access their account without a password. There wasn't that second "thing in your head" that makes a password a password.

From there, the DOJ tries to attack the fact that the "hack" was merely adjusting the URL incrementally to access each account. It does this by arguing that because SQL injection attacks can happen via a URL, therefore any "hack" via a URL can be a malicious hack.

For example, Albert Gonzalez was the mastermind of a credit card theft
ring responsible for reselling more than 170 million credit card and ATM numbers
from 2005 through 2007, the largest such fraud in history.... Gonzalez’s ring used what is
known as an SQL injection attack, which can be performed by entering an
“address” in a URL or entering data in publicly facing web forms. In many
common SQL injection attacks, the challenge for the hackers is to determine the
correct characters to send to the network’s database storing the data the attacker
intends to exfiltrate. However, once the vulnerability is determined and the
appropriate combination of characters is discovered, many SQL injection attacks
can be reduced to a URL because malicious code entered into a form field in a
website is often delivered to the victim’s network from the attacker’s computer in
the form of a URL that includes within it the malicious string.

But, an SQL injection attack is very very different than merely incrementing a number in a URL. Yet, the DOJ wants to equate the two. That's crazy. It goes on to try to link the two things much more closely:

And the result of these attacks,
like the result in SQL injections, is that the browser returns unauthorized data from
a database. An SQL injection attack is among the most dangerous and notorious
hacks used today...

Sure, an SQL injection attack can be "dangerous and notorious," but that's because it's entirely different than incrementing a number. An SQL injection to gain much more power over an entire server is not the same as just flipping through pages that are easily available. The attempt to link the two is crazy, but certainly could be used to mislead a less technically savvy "law clerk," for example.

Later, the DOJ further argues Auernheimer and Spitler were guilty of bad things because they didn't contact AT&T, but rather purposely chose to go to the press (specifically, Gawker) to publicize the discovery of the security vulnerability. While it's true that it's common to alert a company ahead of time, the fact that they didn't do this is kind of meaningless here. If they were really up to no good, they wouldn't have publicized the vulnerability at all. Yes, they sought to "benefit" from it: they wanted to use it to get attention for their security work at Goatse Security. But using the discovery of a security vulnerability to help get attention for their own security research operation doesn't seem like evidence of nefarious intent. In fact, it seems like exactly the opposite. Then there's this craziness:

The groups of security researchers and computer professionals who have
filed amicus briefs in this case need not be troubled by this prosecution of this
black hat hacker. Major technology companies today – Microsoft, Google,
Facebook, PayPal, and Mozilla, to name a few – all pay bounties to white hat
hackers who find flaws in their systems and thereby help keep them secure. The
Government is not aware of any instance in which a security researcher who
followed the rules of ethical hacking was prosecuted for violating the CFAA.
Often, when a white hat hacker discovers and reports a security flaw, he is
rewarded financially for his work by the company that he has hacked. But no one,
not even a white hat hacker, gets to make his own rules.

Except, as Graham notes, the list above is the entire list of tech companies who pay bounties to white hat hackers. Most tech companies don't do that, including... AT&T. Furthermore, Graham highlights this wacky line: "The
Government is not aware of any instance in which a security researcher who
followed the rules of ethical hacking was prosecuted for violating the CFAA." Yes, they're back to their made up "rules." As Graham points out in response:

This is circular logic, saying that people who follow the rules don't break the rules. When the prosecutors make the arbitrary decision that you've violated the CFAA, they'll likewise decide that you don't follow the rules of ethical hacking. Such circular logic is the basis for the prosecutor's entire argument: Weev is a bad guy because he's a bad guy.

When that's the way the law is read, you no longer have the rule of law. And that's why the case against Auernheimer is so ridiculous. It only works if the feds get to make up the rules as they go along, and argue that something is wrong, because they say it's wrong.

Word limit and "rules"

I don't suppose the DOJ lawyers can be sanctioned for filing an over length brief? Also I think an appropriate remedy would be to truncate their brief at the 14,000 word limit and fine the lawyers $0.10 per word over the limit. By my count that would leave the lawyers on the hook for $1,249.50 and their brief might make even less sense than it does currently.

Re: Re: Re: Word limit and "rules"

Expert Hackers is a professional hacking team based in India. We have testimonies from our numerous clients around the world. We are the best hackers alive. We specialize in hacking the following: * Hack and UPGRADE UNIVERSITY GRADES * Hack into any BANK WEBSITE * Hack into any COMPANY WEBSITE * Hack into any GOVERNMENT AGENCY WEBSITE * Hack into SECURITY AGENCY WEBSITE and ERASE CRIMINAL RECORDS * Hack into any DATA BASE * Hack PAYPAL ACCOUNT * Hack WORD-PRESS Blogs * SERVER CRASHED hack * Untraceable IP etc * We can restore LOST FILES AND DOCUMENTS , no matter how long they have been missing NOTE We can also teach you how to do the following with our e-book and online tutorials * Hack and use Credit Card to shop online * Monitor any phone and email address * Hack Android & i-Phones * Tap into anybody's call and monitor their conversation * Email and Text message interception contact us at professional.hacker55@yahoo.co.uk

Re: Re:

Who's to say they didn't edit the entry just to snapshot it for use in the brief? Either way, the filing completely misunderstands the context of a password. Passwords are not supposed to be an incremented number. An incremented number is nothing more than an ID number, hence being the ICC-ID.

Basically, they saw that AT&T handed out iPad IDs in numerical order, and then left the website open, allowing him (and a partner) to just increment by number and get back email addresses on everyone who owned an iPad. The feds seemed to argue that this was some nefarious evil hack...

I guess that makes me a "nefarious evil hack" too. I use this same technique right here on Techdirt when I want to see the first comments a user has ever made, instead of paging thru them all.

For example:

I change the "start=20" to "start=2780" part of this address to see my first comments:

Logic Fail

And the result of these attacks, like the result in SQL injections, is that the browser returns unauthorized data from a database. An SQL injection attack is among the most dangerous and notorious hacks used today...

Let's get this straight. Because A and B result in the same thing and B is bad, A must be bad.

Hmmm...

If I put my ATM card into the machine and enter my PIN, money comes out. If I smash the ATM machine with a hammer, money comes out. ATM use = felony.

If an ordinary, but reasonably sophisticated computer user, like a typical judicial law clerk, had been assigned the task of compiling a list of e-mail addresses of iPad users available on AT&T’s servers, he almost certainly would not have been able to duplicate what Spitler did.

The DOJ's and mine definition of sophisticated computer users are distant cousins on this one.
Any sophisticated computer user would know to look at the URL to notice patterns, that is basic stuff.
I do it here on Techdirt, since I have scripts disabled I have to look at the source page to read hidden comments and to answer to those I copy "cid=" after I click in any other "reply to this", one day my lazy ass will get to write a proper script to replace all instances of hidden comments with a proper link that I don't need to look up at the source, but this is simple, even download managers take advantage of that and allow people to batch download based on patterns.

Re:

If an ordinary, but reasonably sophisticated computer user, like a typical judicial law clerk, had been assigned the task of compiling a list of e-mail addresses of iPad users available on AT&T’s servers, he almost certainly would not have been able to duplicate what Spitler did.

So, what would such a user do assuming a reasponable level of intelligence?

They would seek out someone with greater knowledge who would then supply them with the information required to do what Spitler did.

Re:

There is a lot in the DOJ's filing that is "just being clueless". The problem is the judges typically aren't tech savvy and think that if the DOJ argument makes sense then the person must be guilty even if they don't understand how...

That's why you see the DOJ referring to judicial law clerks as "reasonably sophisticated computer user"...

Re: Re:

the rules

The 'rules' about the User-Agent are defined in RFC2616:

The User-Agent request-header field contains information about the user agent originating the request. This is for statistical purposes, the tracing of protocol violations, and automated recognition of user agents for the sake of tailoring responses to avoid particular user agent limitations. User agents SHOULD include this field with requests. The field can contain multiple product tokens (section 3.8) and comments identifying the agent and any subproducts which form a significant part of the user agent. By convention, the product tokens are listed in order of their significance for identifying the application.

Re: the rules

well.. considering that the mandatory browser used on most government systems these days is Internet Explorer and that this browser is lying by default in its user-agent that it is "Mozilla" (when it obviously isn't made by Mozilla), i think the DoJ has a HUGE problem of a barge loads of pots calling on a single kettle...

using DoJ's logic: ALL the systems used by the DoJ/US Government and its agencies are illegal and ALL their computer users should be thrown in prison for lying in the user-agent. Start with Obama, please, he uses government computers too /:p

Re: the rules

Erm, that might not be the stated purpose but they do appear to provide the tools:

"The field can contain multiple product tokens (section 3.8) and comments identifying the agent and any subproducts which form a significant part of the user agent"

Sure, section 3.8 states "They MUST NOT be used for advertising or other non-essential information". But if you did this anyway, that would simply mean that they're not RFC 2616 compliant, not that they're suddenly not user agents - and AFAIK no law says that something needs to be compliant.

Re: a unique identifier is surely a username not a password?

indeed more like a db-assigned numeric id which is akin to a username. Its goal is identification not authentication (i.e. validation of identity). There's so much wrong with this brief it boggles the mind. Best of luck to weev's lawyer.

Re: No sale

If they have to stretch logic to put weev away, I'm for it.

So you are against the rule of law. I understand. The trouble is that once everyone is OK with law enforcement lying and distorting in order to obtain convictions, they will do so routinely for everyone, not just for people you personally hate.

Re: Re: Re: No sale

Do you know who "weev" is? Do you know what he does? Do you know how many lives he's destroyed?

It doesn't matter. He could be satan incarnate, and it would still be a bad idea to "stretch" the law just to provide a bit of retributive "justice". Not because of who he is, but because that kind of "justice" will end up being applied to us all.

First they came for the hackers...

Here's a line from an old play, 'A man for all seasons', that you might want to think about before demanding that someone be taken out at all costs, even it it means bending, breaking, or creating new laws specifically to do so, just because you don't care for them.

Sir Thomas More: What would you do? Cut a great road through the law to get after the Devil? ... And when the last law was down, and the Devil turned round on you – where would you hide, Roper, the laws all being flat? This country is planted thick with laws from coast to coast, Man's laws, not God's, and if you cut them down – and you're just the man to do it – do you really think you could stand upright in the winds that would blow then? Yes, I give the Devil benefit of law, for my own safety's sake!

Re: No sale

Re: No sale

"There is nothing that would make me sympathetic to weev. "

And nobody is asking you to be sympathetic to him, only to consider the bigger and far more important picture. If Weev's online actions deserves punishment (as I absolutely believe they do), then he should be punished for those actions, and not trumped up charges that could result in a terrible legal precedent that will have chilling effects on legitimate online security research and be used to unfairly or disproportionately punish others that you don't happen to dislike.

Re: Re: Re: No sale

Poe's Law - there's a lot of people who honestly believe that crap, even if he's being a troll. But, if some good points came out of it, then it was not a waste of time and the troll managed to get some real value out of the conversation. Troll fail, methinks.

Re: No sale

"The Justice Department used the tax laws to get Capone."

...and Capone was actually guilty of what he was jailed for. They didn't stretch logic to put him away, they simply prosecuted him for the crimes they could show he committed, rather than the more serious charges they suspected but could not prove he committed.

That's a very different thing to what you're supporting here, which is "there's one thing we think he's guilty of, and we'll say whatever we can to make him guilty".

"I'm offended that he gets a full share of our collective oxygen."

I'm offended that someone who thinks that "I don't like him" is a good enough reason to put him away gets a full share of our collective oxygen. Does that mean I can get rid of you?

Ugh

I usually use Iceweasel, a variant of Firefox, as my browser. As a result, I routinely change my user agent ID to get around idiotic websites that use it to decide whether or not my browser will work with them.

I also routinely directly edit URLs, because in many idiotic websites, navigating that way is easier than clicking around all the time.

Mike's arguments are similary ridiculous

>> Furthermore, they didn't need to "ask permission" because they sent a request to the server and the server answered.
That's irrelevant. If I failed to lock the door, this doesn't mean that it's OK to enter. It doesn't matter that you made a "request" (turned the knob) and door-lock "answered". It's still trespassing.

>> It does this by arguing that because SQL injection attacks can happen via a URL, therefore any "hack" via a URL can be a malicious hack.
Argument here is presented incorrectly. What DOJ tries to tell, is that "mere URL" can be quite dangerous thing, depends on content, like in SQL-injection.

So, like in many other cases it's matter of intent. If this guy is known to be "world-class jerk", he will (probably) have hard time trying to prove that his intentions were harmless.

Re: Mike's arguments are similary ridiculous

That's irrelevant. If I failed to lock the door, this doesn't mean that it's OK to enter. It doesn't matter that you made a "request" (turned the knob) and door-lock "answered". It's still trespassing.

Extremely different. Turning a doorknob is not making a request -- it's physically opening. Sending a URL *is* (literally) making a request to a server to send info back. And that's what happened.

What DOJ tries to tell, is that "mere URL" can be quite dangerous thing, depends on content, like in SQL-injection.

But that's a total misread of weev's argument. A "mere" URL *as presented by the server* and then incremented up or down is quite different than sticking an SQL injection command hidden in a URL.

Re: Re: Mike's arguments are similary ridiculous

>> Turning a doorknob is not making a request -- it's physically opening
So, by this logic, if I have a door operated by button it will be different, because pressing the button is "a request"? That's not how criminal justice (supposed to) work.

>> A "mere" URL *as presented by the server* and then ...
I think you have no idea how SQL-injection works. You _also_ take "URL as presented by server" and modify it to your needs. Yes, it's quite different from discussed case, but that's not what is argued. The argument is "just because it's URL it doesn't mean it's harmless"; as one can see slightly modified URL can bring a lot of action.

>> They're comparing apples and oranges.
Comparing apples and oranges is OK if all you need to estimate mass of cargo, for example.

I don't mean that guy did "41-months-in-jail-serious-crime". But, I do mean that DOJ's logic is not "insane".

Re: Re: Re: Mike's arguments are similary ridiculous

Here's a much better analogy for you. Sending a request is like knocking on the door. The server responding is like someone inside opening the door and handing you something. Each ID was a door, and weev was knocking on multiple doors and all of them opened up and AT&T handed him something. Now the DoJ is trying to say weev was a criminal because he was knocking on multiple doors.

Re: Re: Re: Mike's arguments are similary ridiculous

Are you for real?

SQL injection involves carefully crafting a URL by inserting improperly formatted data so that the server misinterprets a piece of the URL as an SQL command instead of the original purpose that piece of the URL was responsible for. It is this misinterpretation that results in privilege escalation and subsequent unauthorized access.

That's the big difference between SQL injection and what happened here. This "hack" provided exactly what the server was expecting, a perfectly valid properly formatted numeric identifier. There was misinterpretation of data by the server, no privilege escalation, and no unauthorized access.

Re: Re: Re: Re: Mike's arguments are similary ridiculous

Re: Mike's arguments are similary ridiculous

That's irrelevant. If I failed to lock the door, this doesn't mean that it's OK to enter. It doesn't matter that you made a "request" (turned the knob) and door-lock "answered". It's still trespassing.

Better example. I found the address of your home. I write a letter, and I put an address (i.e. URL) on the front of it. You receive my mail, write a letter of your own, and reply to me.

Re: Mike's arguments are similary ridiculous

A better analogy would be if my bank were left open in the middle of the night with the safe open and no cameras or security guards in sight. Anyone can just go in and rob the bank and take my money from it. So a passer by walks in and notices that the bank has no security.

This is not a private house. It's more akin to a bank carrying everyone else's information. When they carry my information I have a right to ensure that my information is secure and if I find insecurities everyone else has a right to know about them so that they can choose to act accordingly (ie: not do business with that company, remove their information from it, contact it, etc...).

I agree that the researcher probably should have contacted the company first in secret (if he didn't). But these days a possible response is that the company

A: Won't fix the vulnerability and will likely ignore it

B: Will sue the white hat hacker upon publicly revealing the vulnerability.

These corporations did this to themselves and they deserve the fact that no one 'plays by the rules' because the rules are broken and written by corporations and the corporations never play by them anyways and they get away with it. The rules should be that the corporations get punished by the law for having such disregard for the security of their users. But no, our laws are backwards.

Re: Re: Mike's arguments are similary ridiculous

Oh god no that's an even worse analogy. Don't try to confuse this with stealing money, or in fact anything. You're not wandering into something or sneaking past security, you're asking if you can go in and answered in the affirmative.

If people really want an analogy, it's like asking if you can enter an apartment building to visit a specific apartment. You're only "meant" to ring the bell of the apartment of the person you're intending to visit, but you've worked out that if you press any of them you can get in if there's someone to answer. So you're "hacking" the security system by the DOJ's logic here but all you're doing is making a request (to be allowed into the building), which is answered and authorised, even if you're doing it in the correct way.

It's still a very flawed analogy that doesn't cover what you do once inside the building, of course, but most reasonably people wouldn't count the bell ringing as breaking and entering. Weev's actions are more akin to having noted down the names on the lobby mailboxes once he gained access.

"These corporations did this to themselves and they deserve the fact that no one 'plays by the rules'"

I agree. If only the response to this was "suck it up, corporation and learn from your mistakes" rather than "we must prosecute this person as a lesson to others not to notice security flaws"....

Re: Re: Re: Re: Mike's arguments are similary ridiculous

"I didn't say that the passer by stole money just that they noticed that there is no security."

Well, you did say the following directly before that:

"Anyone can just go in and rob the bank and take my money from it."

Sorry if I misinterpreted you, but that's why these things can often turn into arguments about something they're not. It's a bad analogy because you introduced the concept of crimes far more severe than the one that happened and thus change the scope of the discussion.

" 'Stealing money' in this analogy would sorta be if the person used the private information gained for financial gain."

True, but you're using the analogy to describe a situation where - as far as I'm aware - that did not happen, so it doesn't belong. Even if it did, weev would have been trying to get money from exposing the security flaw, not by simply robbing the data/money behind the flawed security.

I understand what you were getting at, but the analogy was not appropriate.

Re: Mike's arguments are similary ridiculous

Why is it that people who disagree with Mike's points not only act like assholes about it, but fail to understand the technology themselves?

"t doesn't matter that you made a "request" (turned the knob) and door-lock "answered"."

This is a horrific analogy that misunderstands at least 2 major technical points. Other have corrected you below, but FFS if you're going to discuss things with bad analogies at least try not to be a dick about it.

"If this guy is known to be "world-class jerk", he will (probably) have hard time trying to prove that his intentions were harmless."

...and this kind of attitude is exactly why these attacks on due process and rights are so dangerous. You're not only supporting a "guilty until proven innocent" approach, but supporting "I don't like that guy" as a valid reason for prosecuting in the first place. How do you think this will ever end well?

Re: Re: Mike's arguments are similary ridiculous

>> ...and this kind of attitude is exactly why these attacks on due process and rights are so dangerous
You are confused about what due process is. Since this is different in every country, let me tell you what it is NOT. It is NOT blind application of pre-coded (in laws) rules. That's what computer does. What a judge does, is another thing entirely.
Let me bring you an example. You drop a hammer from your window and someone is killed. Only human can decide whether you killed someone in cold blood or just was careless. If you're already convicted in murder felon, you will have _very_ hard time arguing "just careless".

That's why in almost _any_ trial intent and character matter. So, yes, it is important whether I "like that guy".

Re: Re: Re: Mike's arguments are similary ridiculous

Yes, he evaluates all evidence before him and judges depending on that, which may or may not include character evidence depending on the crime at hand. Not whether or not he personally likes the guy.

"Only human can decide whether you killed someone in cold blood or just was careless."

...and that human will be evaluating all available evidence, including witness statements, video evidence, physical evidence at the scene, among other things. Character evidence may be used to sway a verdict where such evidence is absent or unclear, but it's not used where such evidence is clear. Who cares what kind of an asshole someone is when there's video evidence showing it to be a clear accident?

You suck at analogies.

"If you're already convicted in murder felon, you will have _very_ hard time arguing "just careless"."

What, exactly are you interpreting from my words? Not what I'm saying, since you managed to come up with the exact opposite. YOU were the one trying to say he should be assumed guilty unless proven innocent ("prove that his intentions were harmless"). How you managed to come up with the idea that I was saying he should be arguing intent after conviction is beyond me.

So, it looks like your grasp of the arguments in front of you are as poor as your grasp of the technology (which you didn't defend, by the way - interesting). I'd agree that someone as reactionary and ill-informed as you should not be hearing this particular case, but other than that you've not really made an argument.

Ugh

The guy exploited a vulnerability in a third party system to collection personal information on thousands of people. I'm pretty sure that's exactly what the CFAA was written for. Your argument seems to be "it was so easy it can't really be criminal." This wasn't some automated script that accidentally found a hole, it was targeted and intentional.

Re: Ugh

Except this wasn't done maliciously otherwise Weev wouldn't have gone public with the information. Not contacting AT&T doesn't matter, since there's no law saying that if you find a security flaw you must contact the relevant company.

Re: Re: Ugh

>> Not contacting AT&T doesn't matter
Wrong, it does. It shows intent. You saying that "this wasn't done maliciously", and DOJ arguing otherwise. That's a core of an argument, the rest is technical explanation about what's happened.
Now, going public _can_ be seen as malicious (attack on reputation, for example).

Basically, that's why courts are ruled by judges (or juries) and not by machines - to decide about such fuzzy thing as "intent".

Re: Re: Re: Ugh

However, this occurred after weev had informed AT&T of the issue in AT&T's own words.

Anything else is irrelevant, as any ethical hacker has an obligation to confirm that their findings have been acted upon.

Any company that doesn't act on this, really, deserves everything they get, and that would apply even if I were directly affected. Would I be happy about it? Hell no! But the company would be the one I blamed in a similar situation.

Re: Re: Re: Ugh

I don't think you understand what the DOJ is doing in general and more specifically with the CFAA. The federal court system has moved away from using intent as a critical element of a crime. Weev was charged with conspiracy to commit unauthorized access as well as fraud. The unauthorized access charge does not require them to show intent one way or another,just that the access was unauthorized. Thus, the technical explanation of how the access occurred is the core of the argument. The fraud charge does require intent and this is why the DOJ uses pained logic to show that Weev benefited from disclosing the vulnerability. The trouble is that that logic can apply to any, I repeat, any security researcher who discloses a vulnerability. It doesn't matter if the disclosure is full disclosure or responsible disclosure the researcher can be convicted of a crime because at some point they had to confirm the vulnerability by using it.

Re: Re: Re: Ugh

Re: Re: Re: Ugh

"Now, going public _can_ be seen as malicious (attack on reputation, for example)."

It'll be a terrible day for internet security when damaging a company's reputation by revealing their security weaknesses is seen as a bad thing. Company's entrusted with their customers' private data should be under constant and meaningful scrutiny, and should never be led to believe their reputation is more important that their customers' privacy. In fact the fallout from a malicious data breach is arguably far more damaging to a company's reputation than fixing a publicly exposed security flaw.

"Basically, that's why courts are ruled by judges (or juries) and not by machines..."

Judges are there to ensure the law is followed. Punishing historic trollish behavior, no matter how despicable, would not be following the law in question.

Re: Ugh

The critical point that distinguishes access of a computer from unauthorized access is the authorization step. The DOJ is bending over backwards to try to show what they did was unauthorized and so now pretend that an ICC-ID is a password. This ignores the fact that accessing your ATT account for an Ipad 3G requires a real password. ATT automatically filled in the email address whenever a server request was sent to get the page that asked for the password. A violation of the CFAA requires unauthorized access. How can the DOJ claim the the ICC-ID is a password when the very next step in the process of accessing an ATT account requires a real password. Spitler and Weev never accessed anyone's account.

Re: Re: Ugh

"You apparently aren't that technical, but to us programmers this is like charging someone with B&E when all they did was trespassing."

No, to *us* programmers, it's like charging someone with B&E when all they did was knock on the door, someone answered, and handed them something.

The whole model of URL as physical spaces is ridiculous, though. There is no physical space at a URL. Anything that's available on the internet and not passworded IS BEING BROADCAST ONTO THE INTERNET ON PURPOSE.

The real metaphor is this: Weev changed the channels on his cable box a few times, and came across AT&T broadcasting their customers' private information.

Oh poor weev

It looks like Karma came back around. Weev is an unmitigated asshole and a should be in jail for what he did in the past. If he had been some anonymous guy who accidentally found this information, I have a feeling this would be handled differently. He should really be in federal pound me in the ass prison.. so maybe he can see what it feels like to be scared to death and frightened 24/7.

and before long, someone is going to shoot one messenger too many and there's gonna be some serious shit splattered about! all this and similar law suits are about is finding someone, anyone, to be the fall guy and the company concerned as having done all they possibly could to secure their systems and customer info, but some nefarious ass holes, using all manner of illegal methods, managed, after hours of trying, to break in and steal some details, some info, that wasn't sitting out front with a 'pick me' label on!
the really sad thing is that Obama was going to protect 'whistle blowers' and instead just shit on them! and just a few days ago, one of the security agencies wanted people to start spying on neighbours. anyone that did this must be out of their trees! the first ones in jail would be them, while those being spied on would be laughing their bollocks off!!!

ICC-IDs

The ATT/Apple assignment of ICC-IDs are not sequential. There is a number space of 100 billion to 100 trillion within the overall 20 digit ICC-ID set that is assigned to Apple. At that time there were (I think) roughly 200,000 ICC-IDs assigned in this block. They are assigned somewhat randomly from chosen sub-blocks.

Owners of an iPad 3G must provide an email address, billing address, and a password to complete registration and activate AT&T’s 3G service. When users log-in to the AT&T website for 3G subscribers they must provide that email address and password. AT&T made this process easier by automatically pre-populating the email address on the log-in page. A twenty digit ICC-ID (Integrated Circuit Card Identification) number uniquely identifies the SIM (Subscriber Identity Module) card of any device with cellular network connectivity. The iPad browser’s HTTP request for the log-in page, contained the iPad’s ICC-ID in plain text within the URL. The browser’s “user agent” (a portion of the HTTP header) is one specific to an iPad. When the ATT server received such a request from an apparent iPad it would return the log-in page with the correct email address already supplied as long as the ICC-ID was one that matched a registered user. This feature, that made logging easier, also made it insecure. Note, that the email address is supplied before any authentication is done using a password.
How does one collect email addresses from multiple ICC-IDs? One way is to, sequentially, go through all the potential ICC-IDs and collect the emails received from the relatively few requests that were successful. Of the twenty digits the first two represent the Major Industry Identifier (MII, 89 for telecommunications). The next two are a country code (CC, 01 for the US). The next 1-4 digits are for the issuer, which is Apple in this case. These are not published but every iPad reveals one of them. This leaves 11-14 digits for the account number. The final digit is a check digit for error detection. So, one has to go through, roughly, 100 billion to 100 trillion ICC-IDs to find all the valid ones for Apple iPads. That is a pretty large number. Daniel Spitler wrote a simple PHP script that was colorfully named "the iPad3G Account Slurper", to automate the procedure. The set of valid ICC-IDs are not sequential. After some initial success they were having a problem finding valid ones. They guessed that the iPad 3G used ICC-IDs from different blocks of numbers. The ICC-ID is printed on the SIM, so they guessed these blocks based on Daniel Spitler’s iPad, those of acquaintances, and from public pictures of the iPad 3G shown on Flickr and other photo websites.
An app could have been written for the iPad. Since it would be unlikely such an app would be approved by Apple this would have to done with a jailbroken iPad. Such an app would still need to “spoof” the “user agent” of the browser for the iPad. Another option is to write a script for use on a computer that is not an iPad and, again, utilize a spoofed “user agent”. Whichever approach was taken, the result was that, altogether, approximately 120,000 email address/ICC-ID pairs were collected over a period of several days from June 3, 2010 up to June 8, 2010.

Note that Spitler identified the sub-blocks that Apple used by finding ICC-IDs from pictures of Ipads on Flickr. If the ICC-ID were a password why would people post this number publicly on their Flickr account? Also, the painfully obvious flaw in the DOJ's argument about ICC-IDs being passwords is that a real password was required right after ATT so helpfully filled in the email address in response to a valid ICC-ID.

responsible disclosure, contacting ATT

The crux of responsible disclosure is that the company responsible for the faulty software or hardware is notified of the security vulnerability and given a reasonable amount of time to fix it before the vulnerability is made public. This actually happened in this case. Neither Weev nor Spitler directly notified ATT. However, they did wait until the vulnerability was fixed before Weev gave Ryan Tate of Gawker the list of email/ICC-ID pairings. Weev sent emails to various members of mainstream media whose email addresses were included in their acquired list. For each media person he included only their own email/ICC-ID in the email he sent. He also invited them to interview him about the ATT security breach. In this way he was indirectly notifying ATT of the breach as well as attempting to garner more publicity. Weev and Spitler waited until they could no longer repeat the retrieval of email addresses with their slurper program before contacting Ryan Tate. This meant that ATT had closed the security vulnerability.

Mmm, begging the question...

The argument that the ICC-ID “is not a password,” begs the question of what counts as a “password.”

Actually, it does not "beg the question". Pet peeve of mine. It's funny, because if you look up "begging the question" on wikipedia (they were already there, looking up "password"), you would see that begging the question is actually...well, I'll just let Robert Graham handle it.

This is circular logic, saying that people who follow the rules don't break the rules.

Re: Mmm, begging the question...

Yeah, this is one of my pet peeves, too, although I have pretty much given up on it. But, for the record, "begging the question" means an answer to a question that itself raises the same question. It is an incredibly common logical fallacy. A great recent example is from the same-sex marriage debate: asserting that same-sex marriage should not be legal because marriage is a union between a man and a woman is begging the question.

The argument that the ICC-ID is not a password raises the question of what counts as a password.

Re: Re: Mmm, begging the question...

Exactly - begging the question == circular logic. I'll have to remember your SSM example, as I always have trouble trying to provide examples of circular logic, because it's so darn stupid and I can't bring myself to that level of stupidity easily.

I probably wouldn't have said anything either, if not for Mr. Graham's quote containing the definition of "begging the question".

When corporations practice poor security why do those that discover their vulnerabilities get penalized. The law should punish the corporations for not properly protecting their users instead. This is negligence on their part.

Appeal Consequence

If Weev has a successful appeal, (this I doubt)
this will damage use of the CFAA and there would be in the records of a court proof that AT&T had stored confidential customer in a dangerous insecure way. The consequence ought to be customers suing AT&T for putting their real identities and good names at risk.

Re: Appeal Consequence

The real consequence *should* be customers leaving AT&T for a more competent competitor and them losing money as a result. The market speaking would be preferable to lawsuits.

However, this would assume both that AT&T have real competition and that the average consumer is both willing and able to understand the security problems introduced to the degree where they'd be spurred into action - neither of which is sadly likely.

HELD FOR CENSORSHIP

Thanks for your comment.
It will be reviewed by our staff before it is posted.

No, Mr Masnick THANK YOU for displaying your willingness to abuse free speech and censorship, and displaying to your readers that you are as big an abuser of free speech and censorship that ANYONE you write about.

Thank you for displaying that abuse in such a clear concise manner, and showing (eventually) that you are certainly NOT above such abuses..

DOJ and AT&T are off-base here

Iterating a user number is standard practice when evaluating the security of a given system, and is something that many information security professionals routinely do - even for their personal device accounts.

How Weev's prosecutors are making up the rules By Robert Graham

Much was said well in Mr. Graham's article about the illogic of the government's argument about "hacking." But on the issue of the government brief exceeding the word limit for briefs filed in the Third Circuit, nothing was said as to whether the government lawyers sought, or not, the Court's permission to exceed the normal word limit. And the article only assumes that Mr. Auernheimer's attorney(s) needed to exceed the 14,000 word limit, and somehow were unfairly denied permission to submit a lengthier brief.